Enterprise FreeBSD/Linux Squid Proxy Server

Squid is the most popular high end web proxy used by both by small or big organizations and ISPs around the world. It improves web browsing performance and conserves bandwidth. It also has a very rich Access Control Lists (ACLs) which can be configured to act as superb filter and can also act as a firewall.

The Squid project, currently, is now being run entirely by volunteers. It has a small but very talented and professional group of developers. I request everybody using Squid to help this great project in their own respective ways. You can either participate directly in it’s development, or be a tester of it’s latest releases or you can simply submit articles.

Or best of all, if you have the resources, please donate to this great and wonderful project. Whatever you donate, no matter how much, will go towards it’s development and R&D which will benefit everybody and the internet community at large.

Please check the following URL for more details:

http://www.squid-cache.org/Intro/helping.dyn

This installation manual is for Squid-2.6.STABLE18 which is the latest as of today (23-Jan-2008). This How-To can be used either on Linux based Operating systems such as Debian and BSD based operating systems such as FreeBSD. For Solaris users, replace “make” with “gmake” and make sure that “/usr/sfw/bin” is in your PATH.

This guide below details the steps for creating a powerful Squid proxy server capable of serving thousands of users per second. Please refer to the graphs towards the end of this article for actual details.

Assumptions:

2 cache partitions /cache1 and /cache2 of size 20 GB each are created with OS installation
User squid and Group squid are created on OS
Incoming TCP connections are allowed on Port 3128
Local Bind caching name server is installed on OS
This How-To describes how to run a squid transparent proxy server in FreeBSD-6.x/Linux based operating systems in an enterprise/ISP environment serving thousands of users.

(1.) Download squid in /usr/local/src

cd /usr/local/src
wget http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE18.tar.gz

(2.) Unzip it’s contents

tar zxvf squid-2.6.STABLE18.tar.gz

(3.) Configure squid with the following parameters

–bindir=/usr/local/sbin \
–sysconfdir=/usr/local/etc/squid \
–datadir=/usr/local/etc/squid \
–libexecdir=/usr/local/libexec/squid \
–localstatedir=/usr/local/squid \
–enable-removal-policies=heap,lru \
–enable-storeio=diskd,aufs,coss,ufs,null \
–enable-time-hack \
–enable-snmp \
–with-large-files \
–enable-large-cache-files \
–prefix=/usr/local \
–disable-ident-lookups \
–enable-cache-digests \
–enable-underscores \
–enable-kill-parent-hack \
–enable-follow-x-forwarded-for

(4.) If all goes well, run

make all
make install

(5.) We need to tune squid.conf to suit our preferences

cd /usr/local/etc/squid
mv squid.conf squid.default.conf

(6.) Use the following squid.conf

############## Start of squid.conf ###########

cache_effective_user squid
cache_effective_group squid

#hosts_file /etc/hosts

#Only if you have other proxies running and want to use them as sibling peers
#Uncomment them
#cache_peer proxy1.example.com sibling 3128 3130 proxy-only
#cache_peer proxy2.example.com sibling 3128 3130 proxy-only
#cache_peer proxy6.example.com sibling 3128 3130 proxy-only

#Remove 127.0.0.1 if you don’t have a local caching name server
dns_nameservers 127.0.0.1 IP.OF.ISP.DNSSERVER

#debug_options ALL,1 33,2 28,9

acl all src 0.0.0.0/0.0.0.0

#offline_mode off

icp_query_timeout 1000

high_memory_warning 500 MB

#If you have 2 or more different links, use them for load-balancing
#tcp_outgoing_address IP.Address.2nd.Router

visible_hostname proxy.example.com

httpd_suppress_version_string on

cache_mem 64 MB

#cache_replacement_policy heap LFUDA
cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF

cache_swap_low 90
cache_swap_high 95

maximum_object_size 131072 KB

########New test — Default is 8
maximum_object_size_in_memory 64 KB

#minimum_object_size 1 KB
#store_avg_object_size 20 KB

tcp_recv_bufsize 65535 bytes

ipcache_size 8192

fqdncache_size 8192

##If this proxy is also your gateway and if you want to block MSN messenger
##Uncomment the ACLs below

#acl msn-type req_mime_type -i ^application/x-msn-messenger$
#acl msn-type req_mime_type -i ^application/x-msnmsgrp2p
#http_access deny msn-type

#acl msnmessenger url_regex -i gateway.dll
#http_access deny msnmessenger
#acl msn req_mime_type -i ^application/x-msn-messenger
#http_access deny all msn

acl msnmess url_regex http://207.46.111.55/gateway/gateway.dll?
deny_info TCP_RESET msnmess
http_access deny msnmess

#forwarded_for on
#request_header_max_size 24 KB
#negative_dns_ttl 1 minutes
#positive_dns_ttl 1 hours
#negative_dns_ttl 60 seconds
#connect_timeout 60 seconds
#request_timeout 60 seconds
#pconn_timeout 30 seconds
high_page_fault_warning 10
high_response_time_warning 2000
client_persistent_connections off
server_persistent_connections on
half_closed_clients off

#If you need the high performace COSS storage scheme
#cache_dir coss /cache1/squid/coss 9216 max-size=131072 max-stripe-waste=16384 block-size=1024
#cache_dir coss /cache2/squid/coss 9216 max-size=131072 max-stripe-waste=16384 block-size=1024

#Diskd storage scehme
cache_dir diskd /cache1 6144 16 256 Q1=72 Q2=64
cache_dir diskd /cache2 6144 16 256 Q1=72 Q2=64

#Used for COSS only
#cache_swap_log /var/squid/%s

log_icp_queries off
cache_store_log none
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log

emulate_httpd_log on

acl spammers dstdomain .maxonlinejob.com .max-online.biz .maxjob.info
deny_info TCP_RESET spammers
http_access deny spammers

ftp_user ftpuser@example.com
cache_mgr squidadmin@example.com

#Block some comme Microsoft bugs
acl msnbug url_regex http://msgr.dlservice.microsoft.com/download/1/A/4/1A4FEB1A-18E0-423A-B898-F697402E4F7F/I nstall_Messenger.exe
deny_info TCP_RESET msnbug
http_access deny msnbug

acl msnbug2 url_regex http://msgr.dlservice.microsoft.com/download/4/b/c/4bc83bb2-18dd-486f-943f-332a9b3e01dc/Install_MSN_Messenger_DL.exe
deny_info TCP_RESET msnbug2
http_access deny msnbug2

#No cache for the following sites
acl newssites dstdomain .cnn.com .bbcnews.com
no_cache deny newssites

refresh_pattern windowsupdate.com/.*\.(cab|exe) 4320 100% 43200 reload-into-ims
refresh_pattern update.microsoft.com/.*\.(cab|exe) 4320 100% 43200 reload-into-ims
refresh_pattern download.microsoft.com/.*\.(cab|exe) 4320 100% 43200 reload-into-ims

#Try to cache some google Earth stuff
acl QUERY urlpath_regex cgi-bin \? intranet
acl forcecache url_regex -i kh.google keyhole.com
no_cache allow forcecache
no_cache deny QUERY

#Don’t cache dynamic content
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

refresh_pattern -i kh.google 1440 20% 10080 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i keyhole.com 1440 20% 10080 override-expire override-lastmod reload-into-ims ignore-reload

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

#Only if you want your Squid box to cache aggressively, not recommended

#refresh_pattern -i \.gif$ 600 50% 10080
#refresh_pattern -i \.jpe?g$ 600 50% 10080
#refresh_pattern -i \.tif?f$ 600 50% 10080
#refresh_pattern -i \.png$ 600 50% 10080
#refresh_pattern -i \.mov$ 600 50% 10080
#refresh_pattern -i \.qt$ 600 50% 10080
#refresh_pattern -i \.avi$ 600 50% 10080
#refresh_pattern -i \.mpe?g$ 600 50% 10080
#refresh_pattern -i \.wav$ 600 50% 10080
#refresh_pattern -i \.au$ 600 50% 10080
#refresh_pattern -i \.aif?f$ 600 50% 10080
#refresh_pattern -i \.ps$ 360 30% 10080
#refresh_pattern -i \.pdf$ 360 30% 10080
#refresh_pattern -i \.gz$ 360 30% 10080
#refresh_pattern -i \.Z$ 360 30% 10080
#refresh_pattern -i \.zip$ 360 30% 10080
#refresh_pattern . 180 50% 10180

#Configure downloading even after aborted requests.
quick_abort_min 0 KB
quick_abort_max 0 KB
#quick_abort_pct 99

negative_dns_ttl 2 minutes

acl mynetwork src 192.168.0.0/24 172.16.0.0/24 10.0.0.0/24

acl nimda urlpath_regex .*/winnt/system32/cmd.exe.* .*/MSADC/root.exe..c.dir$ .*/scripts/root.exe..c.dir$
acl Newvirus urlpath_regex .*/Cgi-bin/!Vip.exe.* .*/LE/isapitest.dll.*
acl BadURL urlpath_regex -i cmd.exe
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563 2082 2083 2086 2087 2093 2095 2096
acl Safe_ports port 80 21 443 563 70 210 8000 11999 2082 2083 2086 2087 2095 2096 8082 8090
acl CONNECT method CONNECT
acl worm dst 63.251.5.47 65.74.168.210
acl worm1 dstdomain kyamzaa.virtualave.net/com.exe
acl worm2 dstdomain kyamazza.virtualave.net/dos.exe

acl VIRUS urlpath_regex winnt/system32/cmd.exe?
acl VIRUS urlpath_regex ^/osa..gif
acl VIRUS urlpath_regex ^/./fils.php
acl VIRUS urlpath_regex ^/./999.jpg
acl VIRUS urlpath_regex ^/w.php
acl YAHOOATTACK urlpath_regex akamai.*yahoo.*config/login
acl INADDR_ANY dst 0.0.0.0/32
acl IpAddrProbeUA browser ^Mozilla/4.0.\(compatible;.MSIE.5.5;.Windows.98\)$
acl IpAddrProbeURL url_regex //[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/$

acl codered url_regex \/default\.ida$
http_access deny codered

acl gator_url url_regex \.gator.com
acl gator_domain_start dstdomain gator.com
http_access deny gator_url
http_access deny gator_domain_start

acl brazvir url_regex http://www.instituto.com.br/attackDoS.php
http_access deny brazvir

acl worm_url url_regex ^http://www.tradeexit.com/link1.html$
acl worm_url url_regex ^http://www.tradeexit.com/link2.html$
acl worm_url url_regex ^http://www.revistaprofashional.com.br/put?
acl worm_url url_regex ^http://www.putassp.com/put?
http_access deny worm_url

#Block uncessary microsoft updates
acl microsoft_url_1 urlpath_regex msdownload/update/v3-19990518/cabpool
http_access deny microsoft_url_1

###################
##virus
#acl mblock url_regex -i musicindiaonline.com

acl dangurl urlpath_regex -i \.id[aq]\?.{100,} # CodeRED
acl dangurl urlpath_regex -i /readme\.(eml|nws|exe) # NIMDA

#Remove transparent if you don’t want Squid to run transparently
http_port 3128 transparent

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny BadURL
http_access deny nimda
http_access deny Newvirus
deny_info TCP_RESET worm
http_access deny worm
http_access deny worm1
http_access deny worm2
http_access deny Codered
http_access allow mynetwork

http_access deny IpAddrProbeUA IpAddrProbeURL
deny_info TCP_RESET IpAddrProbeURL
acl OriginsThatComplainOfAbuse dstdomain .fencing101.com
http_access deny OriginsThatComplainOfAbuse
deny_info TCP_RESET OriginsThatComplainOfAbuse
acl soedirman dstdomain soedirman.gudangupload.com
http_access deny soedirman
http_access deny VIRUS
http_access deny YAHOOATTACK
http_access deny INADDR_ANY

acl PURGE method PURGE
http_access allow PURGE localhost
http_access deny PURGE

deny_info TCP_RESET all
http_access deny all

snmp_port 3001
acl queryme snmp_community SquidSnmpSecret

acl adminpc src 192.168.0.34/255.255.255.255
acl researchpc src 192.168.0.70/255.255.255.255
acl squidadminpc src 192.168.0.221/255.255.255.255
acl mgmtpc src 192.168.0.221/255.255.255.255

snmp_access allow queryme localhost
snmp_access allow queryme adminpc
snmp_access allow queryme researchpc
snmp_access allow queryme squidadminpc
snmp_access allow queryme mgmtpc
snmp_access deny all

icp_access allow mynetwork
icp_access deny all

miss_access allow all

append_domain .example.com

#Always direct allow to yahoo.com and hotmail.com
acl yahoo dstdomain login.yahoo.com
acl yahoo dstdomain mail.yahoo.com
acl hotmail dstdomain hotmail.com
always_direct allow yahoo
always_direct allow hotmail

ie_refresh on
######## End of squid.conf ###############

(6.) Initialize cache directories

/usr/local/sbin/squid -z

(7.) Run Squid Daemon

/usr/local/sbin/squid -D

(8.) Manually put the newly configured proxy server in your web browser and test web browsing.

If all goes well, Happy Squid Proxying !!!!!

As stated in the beginning, this proxy which you have just built is extremely powerful capable of serving thousands of users per second. To illustrate this, the graphs below are provided as a reference.

Number of users accessing Squid
Number of clients accessing the squid cache

 

Squid Traffic Usage per second

Squid traffic utilization per second

 

 

Squid Hit Ratio

Squid Hit Ratio (Almost an average of 40% bandwidth savings)

 

 

Squid Total Traffic

Squid total traffic processing ( 340 GB upload and 4.3 TB downlink! )

 

 

Advertisements

49 responses to “Enterprise FreeBSD/Linux Squid Proxy Server

  1. Thanks Tek providing such good information. It will be good if you also provide information about bandwidth shaping.

  2. You have # out some directives. What do you mean by that?
    You want us to hash out them as well or forget about the hash and use the values you have mentioned?

  3. Hi Roshan,

    It’s up to you if you want to use the hashed out directives.

    However, for example, if you don’t have siblings or parent cache peers, then the “cache_peer” directive won’t work!

    They are just there to illustrate a given functionality in Squid. Just hash (#) them out for the time being. You can always unhash and try them out in future.

  4. Hi, actually I wanted to know for the following things.

    #forwarded_for on
    #request_header_max_size 24 KB
    #negative_dns_ttl 1 minutes
    #positive_dns_ttl 1 hours
    #negative_dns_ttl 60 seconds
    #connect_timeout 60 seconds
    #request_timeout 60 seconds
    #pconn_timeout 30 seconds
    negative_dns_ttl 2 minutes

    You have hashed out them. I am new to this stuff so I was wondering if you prefer hashing the above values.

    P.S. you have repeated –with-large-files twice for ./configure.

  5. Hi Roshan,

    The following 2 compilation parameters are different:

    –with-large-files \
    –enable-large-cache-files \

    –with-large-files = enables support for large files (access.log, etc.)

    –enable-large-cache-files = enables support for large cache files (>2 GB). Please use them with caution because some operating systems may not support them.

    As I said before, you can experiment them by unhashing them.

    For more information and help, I suggest you the check out the following URLs:

    (1.) http://www.squid-cache.org/Versions/v2/2.6/cfgman/

    (2.) http://www.visolve.com/squid/squid26/contents.php

  6. Tek dai, Please check the second last line and 10th line of the parameters for ./configure. You have repeated –with-large-files twice.

  7. Hi Roshan,

    Oops. You are correct. I have indeed repeated the compilation parameter “–with-large-files ” twice!

    Thanks for pointing it out again. I have corrected it.

    Good luck with your Squid installation and configuration!

  8. Hello dai,

    I am going through the files again and again. This time I am wondering why you have no cache for bbc and cnn. I’m sure there are many other news sites too. http://www.ircache.net/cgi-bin/cacheability.py doesn’t shows that the object will remain in cache for a long time. I guess you want those sites to remain very accurate.

    Also why have you direct allowed hotmail and yahoo.

    since you are member of akamai, is it that you dont bother to cache such sites.

    How about not caching NPIX sites??

  9. Hi Roshan,

    This is just a sample configuration file to use.

    The always_direct directive only works if you have a parent cache.

    There is really no need to cache NPIX sites because it’s local bandwidth.

  10. Thanks Tek providing such good Squid configuration.
    May I need to clear cache from my cache directory or it will be clear automaicaly.
    Thank again.

  11. Hi Sumon,

    You don’t have to clear your cache directory in Squid.

    The directive “cache_dir” controls the overall size of your squid cache. Just set it to a value which is about 70% of your physical hard drive size which you have dedicated to your cache.

    Squid uses a cache replacement policy or algorithm which decides whether to keep or replace old existing objects in your cache.

    It does it for you automatically.

  12. Thank you for your quick response. Its really helping me.

  13. Hi Sumon,

    It’s good news to me that my articles are helping you out.

    It’s also good to hear from you from Bangladesh.

    By the way, how’s the general internet infrastructure in Bangladesh?

  14. Thanks teklimbu for helping me out. As for your query about the internet infrastructure of bangladesh, its still in the growth level. The bandwidth price is much high for the general consumers and the government policy about local providers are not too helpful.

    But the situation is improving, thanks god. Now there is growing need for broadband internet, so more capable local people are getting involved in this business and thats helping local consumers. With the help of cooperative people like you, new guys can run things better.

    I hope you will contiune helping guys like me in future to understand the nuts and bolts of linux technology. Thank you.

  15. tklimbu,

    wanted to ask you about ZPH patch, if you ever implemented or tried it?

    Best Regards,

  16. teklimbu

    You have mentioned things regarding the refresh pattern and the aggressiveness this can be on some images and sites … can you be more specific and if possible, how to detail whats to be in the refresh pattern and whats the logical scheme out of it ???

    Why the Update Managers don’t get cached that much (Antivirus Updates, rpm’s, deb’s , tgz , ms related updates ..etc …..)

    I much find Linux IpCop (just tested but not actually using) doing good things with squid url_rewrite update accelerator program not to mention it runs over old 2.4.34 linux kernel and squid configured using disabled-poll as shown below …

    Squid Cache: Version 2.6.STABLE17
    configure options: ‘–prefix=/usr’ ‘–disable-nls’ ‘–datadir=/usr/lib/squid’ ‘–mandir=/usr/share/man’ ‘–libexecdir=/usr/lib/squid’ ‘–localstatedir=/var’ ‘–sysconfdir=/etc/squid’ ‘–disable-poll’ ‘–disable-snmp’ ‘–disable-icmp’ ‘–disable-http-violations’ ‘–disable-ident-lookups’ ‘–enable-storeio=aufs,coss,diskd,ufs’ ‘–enable-ssl’ ‘–enable-underscores’ ‘–enable-ntlm-fail-open’ ‘–enable-removal-policies=heap,lru’ ‘–enable-delay-pools’ ‘–enable-linux-netfilter’ ‘–enable-basic-auth-helpers=NCSA,SMB,MSNT’ ‘–enable-ntlm-auth-helpers=SMB’ ‘–enable-useragent-log’ ‘–enable-referer-log’ ‘–with-pthreads’ ‘CFLAGS=-O2 -mcpu=i386 -march=i386 -pipe -fomit-frame-pointer’

    one thing also to mention the size of the storage scehme used L1 L2 regarding the Cache size and the proportional optimum values to use for directories and subdirectories across with the cache size and system performance … can u give a good advice for this setup …..
    COSS storage is good but still what are the optimal values in regards for fast performance response time ??

    One thing still obscure
    cache_mem 64 MB
    my system runs a 2GB ram … what are the good tweaks for this directive ????

    you didn’t mention anything regarding file descriptors … what happens when u get
    ” WARNING! Your cache is running out of filedescriptors ” in your cache.log file ????

    refresh_pattern windowsupdate.com/.*\.(cab|exe) 4320 100% 43200 reload-into-ims
    refresh_pattern update.microsoft.com/.*\.(cab|exe) 4320 100% 43200 reload-into-ims
    refresh_pattern download.microsoft.com/.*\.(cab|exe) 4320 100% 43200 reload-into-ims
    refresh_pattern -i kh.google 1440 20% 10080 override-expire override-lastmod reload-into-ims ignore-reload
    refresh_pattern -i keyhole.com 1440 20% 10080 override-expire override-lastmod reload-into-ims ignore-reload

    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern . 0 20% 4320

    #Only if you want your Squid box to cache aggressively, not recommended

    #refresh_pattern -i \.gif$ 600 50% 10080
    #refresh_pattern -i \.jpe?g$ 600 50% 10080
    #refresh_pattern -i \.tif?f$ 600 50% 10080
    #refresh_pattern -i \.png$ 600 50% 10080
    #refresh_pattern -i \.mov$ 600 50% 10080
    #refresh_pattern -i \.qt$ 600 50% 10080
    #refresh_pattern -i \.avi$ 600 50% 10080
    #refresh_pattern -i \.mpe?g$ 600 50% 10080
    #refresh_pattern -i \.wav$ 600 50% 10080
    #refresh_pattern -i \.au$ 600 50% 10080
    #refresh_pattern -i \.aif?f$ 600 50% 10080
    #refresh_pattern -i \.ps$ 360 30% 10080
    #refresh_pattern -i \.pdf$ 360 30% 10080
    #refresh_pattern -i \.gz$ 360 30% 10080
    #refresh_pattern -i \.Z$ 360 30% 10080
    #refresh_pattern -i \.zip$ 360 30% 10080
    #refresh_pattern . 180 50% 10180

    Best Regards

  17. GR8 tutorial Tek dai.
    I wanted to know how can i block particular words such as “sex” and porn” through squid in a website content.There are so many sites that dont have these words in the URL but have them in their content.Can this be done through squid alone without using third party linux software such as squidguard or Dansguardian?
    And Congrats man.Hope u are enjoying ur new job.Keep up the good work.

  18. Hi Ribesh

    You can block such things.
    Follow this:
    http://techspalace.blogspot.com/2008/01/blocing-pornography.html

  19. Hi, where can I change how much space it uses to store files? From 20GB to maybe 200GB. 🙂

  20. Hi Emil,

    Since I am using DISKD as an example here, to set the disk space to 200 GB to store cache files, I would change the following:

    cache_dir diskd /cache1 204800 16 256 Q1=72 Q2=64

    cache_dir diskd /cache2 204800 16 256 Q1=72 Q2=64

    However, I would advise you not to use such a big cache. It would be better to load balance your cache using many caches with smaller disk caches rather than using a very big cache.

  21. Thanks, does this setup save for example downloaded files in cache to speed up and save bandwidth? Or does it only save html,pictures and such small files?

  22. Hi teklimbu,
    you have given a gr8 tutorial, thanks
    i have a problem when i initialize the cache dir i get this error
    2008/03/25 18:03:43| parseConfigFile: line 261 unrecognized: ‘snmp_port 3001’
    2008/03/25 18:03:43| aclParseAclLine: Invalid ACL type ‘snmp_community’
    FATAL: Bungled squid.conf line 262: acl queryme snmp_community SquidSnmpSecret
    Squid Cache (Version 2.6.STABLE18): Terminated abnormally.
    Mar 25 18:03:43 blr-svr-wsktn-01 squid[11037]: [ID 702911 local4.alert] Bungled squid.conf line 262: acl queryme snmp_community SquidSnmpSecret

    what should i do, kindly help iam new to squid 😦

  23. Hi Anand,

    Have you configured Squid with the parameter “–enable-snmp” before compiling Squid?

  24. Tek,

    I have the following setup:
    Inet –> Router –> Client PC

    I’m looking to implement a proxy with webfilter/content filter. Is it possible to implement this without having to change anything on the client machines? I noticed that you have a tutorial on how to setup a bridge. Would that work?

  25. Tek,

    I have the following setup:
    Inet –> Router –> Ethernet Switch –> Client PC

    I’m looking to implement a proxy with webfilter/content filter. Is it possible to implement this without having to change anything on the client machines? I noticed that you have a tutorial on how to setup a bridge. Would that work?

  26. Hi Rocky,

    This setup will work in the following cases:

    (1.) With just 1 network card, if you are using a route map or WCCP in your router to forward web requests to the proxy server.

    Check my other article on WCCP in a FreeBSD machine for more details.

    (2.) This setup will also work if you have a load balancer in front of your proxy server requiring only 1 network card.

    (3.) Or basically, you can use 2 network cards on this proxy machine and use either IPTABLES (Linux) or IPFW (FreeBSD) to redirect web traffic to your proxy server. This proxy will need to be the default Gateway to your client’s network.

    (4.) Of course as you said, you can also use a bridge to transparently intercept your client’s web requests. You will need 2 network cards.

    The bridge would be something like this

    Internet –> Router –> Bridge –> Switch –> Client PC

    And yes, you don’t have to touch or change anything on your clients machines since this is an intercepting (transparent) proxy.

    Have fun and good luck.

  27. Tek,

    Thanks for clearing my options up for me. So basicially, I’m opting for option 4, since it requires no modification to my client pcs.

    Would following your article on a transparent linux squid bridge setup be my solution? Also, how hard would it be to also implement dansguardian into the mix? Would Debian Etch or Ubuntu work for this setup?

    If you wrote an article on this, that would be awesome.

    Thanks for you help.

    Rocky

  28. I notice the first msnbug you have listed has a space after the ‘I’ in the filename at the end of the url:
    “I nstall_Messenger.exe”
    Is this a typo or is there supposed to be a space?

  29. Hi fcspaul,

    Thanks for pointing it out.
    Yes it is a typo. There is no space in it.

  30. I have just finished setting up a new server to replace our aging proxy. I used the above settings as a starting point and have made some changes based on our needs. Unfortunately diskd is not working. We are attempting to use COSS for small files and diskd for larger files.

    This is installed on FreeBSD 7.0-RELEASE-p1. We are using squid 2.6.STABLE19.

    I keep seeing the following in the messages log:
    kernel: pid 8653 (squid), uid 100: exited on signal 6 (core dumped)
    squid[570]: Squid Parent: child process 8653 exited due to signal 6

    The cache.log has the following interesting entries:
    storeDiskdSend: msgsnd: (35) Resource temporarily unavailable
    storeDiskdSend: OPEN: (35) Resource temporarily unavailable
    assertion failed: diskd/store_io_diskd.c:554 “++send_errors < 100”

    Our squid.conf is identical to above except we added ntlm authentication, delay pools, and the following:
    cache_dir coss /cache1/squid/coss 6000 max-size=1000000 blo
    ck-size=512
    cache_dir diskd /cache1/squid/diskd 46080 16 256 Q1=72 Q2=64 min-size=1000000
    access_log /usr/local/squid/logs/access.log squid
    cache_swap_state /cache1/%s.state

    Any suggestions on what the problem might be or where I can look for answers?

  31. GR8 tutorial Tek dai.
    I wanted to know how can i block particular words such as “sex” and porn” through squid in a website content.There are so many sites that dont have these words in the URL but have them in their content.Can this be done through squid alone without using third party linux software such as squidguard or Dansguardian?
    Hope u are enjoying ur new job.Keep up the good work.

  32. create file with words you want to block, in this example /usr/local/etc/squid/porn.txt

    add to squid.conf:
    acl porn dstdom_regex “/usr/local/etc/squid/porn.txt”
    http_access deny porn

    thx.

  33. Hi Master Tiklumbo

    Sir im so sorry if dont know were to get start here after i unzip the tar zxvf squid-2.6.STABLE18.tar.gz

    (2.) Unzip it’s contents

    tar zxvf squid-2.6.STABLE18.tar.gz

    The Number 3 here sir i cannot follow or know how do next 😦 can you help me sir what to do plsss

    im so sorry asking like a 1 month old baby..

    (3.) Configure squid with the following parameters

    –bindir=/usr/local/sbin \
    –sysconfdir=/usr/local/etc/squid \
    –datadir=/usr/local/etc/squid \
    –libexecdir=/usr/local/libexec/squid \
    –localstatedir=/usr/local/squid \
    –enable-removal-policies=heap,lru \
    –enable-storeio=diskd,aufs,coss,ufs,null \
    –enable-time-hack \
    –enable-snmp \
    –with-large-files \
    –enable-large-cache-files \
    –prefix=/usr/local \
    –disable-ident-lookups \
    –enable-cache-digests \
    –enable-underscores \
    –enable-kill-parent-hack \
    –enable-follow-x-forwarded-for

    (4.) If all goes well, run

    make all
    make install

    (5.) We need to tune squid.conf to suit our preferences

    cd /usr/local/etc/squid
    mv squid.conf squid.default.conf

  34. Hi Ghanzkie,

    After unzipping the contents from:

    tar zxvf squid-2.6.STABLE18.tar.gz

    Change the directory to Squid’s Source directory:

    cd squid-2.6.STABLE18

    Once you are in that directory run the following:

    ./configure \
    –bindir=/usr/local/sbin \
    –sysconfdir=/usr/local/etc/squid \
    –datadir=/usr/local/etc/squid \
    –libexecdir=/usr/local/libexec/squid \
    –localstatedir=/usr/local/squid \
    –enable-removal-policies=heap,lru \
    –enable-storeio=diskd,aufs,coss,ufs,null \
    –enable-time-hack \
    –enable-snmp \
    –with-large-files \
    –enable-large-cache-files \
    –prefix=/usr/local \
    –disable-ident-lookups \
    –enable-cache-digests \
    -–enable-underscores \
    -–enable-kill-parent-hack \
    -–enable-follow-x-forwarded-for

    After that it should be fine.

    Hope it helps.
    Have fun.

  35. Sir Teklimbu im using Debian 2.6 sorry sir to ask many question…

    i already connect to network and ping the proxyserver 192.168.0.1 that we use here in our small office…

    its my first time to use linux Debian 2.6 and try to study how to create mailserver / fileserver/ and proxyserver using squid also other OS
    1st for me to know the SQUID PROXY sir i like to know more this program.

    Sir can u help and give me please a step by step and basic installation and understand how to install and configure to make it work…

    thank you sir more power….

  36. Hi,
    we are ISP and have to use SQUID PROXY server in FREEBSD with WCCP.but ip spoofing is not possible in FREEBSD.
    2)checked same in Linux there we can enable to ip spoofing through Tproxy patch. But we are not getting good perforamce and not able to able to open some of sites.
    3)we have almost 100 MBPS and 200 MBPS traffic site where we r planning to put WCCP squid proxy (With WCCP in cisco) either in FREEBSD or linux.

    Your suggestion is required for this.

  37. it’s good

  38. you can prevent spoofing using ipfw firewall rule with verrevpath

  39. hello, do you have a solutions with port 2095 because my case doesnt works well. Iam trying to sign in on my http://www.mydomain.com/webmail and they use port 2095 and never works.

  40. Dear Friends:

    Any one have idea about creating multiple http proxy ports like
    httpdd_port 3128
    httpd_port 8080

    and giving multi ACLs on multi http_ports…..

    Thanks for the advance reply to everyone.

  41. G’day,

    Gods, so many questions. 🙂

    You can use the ACL type “myport” to create ACLs which match on the http_port line.

    There’s freebsd tproxy like support – http://tproxy.no-ip.org/ has patches against freebsd-7.x. The support is in -current and will be freebsd-8.0. Squid doesn’t have support for the FreeBSD tproxy support but my Squid fork, Lusca, has FreeBSD tproxy code.

    To allow port 2095 you should look at the Safe_Ports ACL.

  42. Prakash Poudyal

    Hi,

    Is it possible to redirect the url like abc.com to xyz.com through squid.

    Thanks

  43. I just install squid on Ubuntu server 9.10 64 bit.
    As beginner, I just change a few lines in squid.conf to avoid problem and look how it affect my browsing experience. But now I have problem, as I cannot open several website mainly the website using flash.
    What should I do to solve this problem. Change the bit to 0 (zero) for ECN already done.

    Thanks.

  44. Hi Doddy,

    What is the exact error message that you get on your web browser?

    I assume you are manually putting the proxy server settings in your browser.

    Which websites are you having problems accessing?

    Also which squid version are you using?

  45. Quick Sample as my daughter like to play it. I use this Squid as transparent proxy.
    —————————————————
    ERROR
    The requested URL could not be retrieved

    The following error was encountered while trying to retrieve the URL: http://facebook.farmville.com/flash.php?

    Connection to 174.129.38.146 failed.

    The system returned: (110) Connection timed out

    The remote host or network may be down. Please try the request again.

    Your cache administrator is webmaster.

    Generated Tue, 01 Dec 2009 17:07:16 GMT by proxy (squid/2.7.STABLE6)
    ———————————————-
    http://www.toyota.co.id also cannot open.

    I use mikrotik as a router and trying to use squid as external proxy. Using mikrotik internal proxy don’t have this problem.

  46. Want to add that opening the mail.yahoo.com or even the https://dashboard.wordpress.com/wp-login.php will result in:

    ————————————————
    Secure Connection Failed

    An error occurred during a connection to login.yahoo.com.

    SSL received a record that exceeded the maximum permissible length.

    (Error code: ssl_error_rx_record_too_long)

    * The page you are trying to view can not be shown because the authenticity of the received data could not be verified.

    * Please contact the web site owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.
    —————————————————–
    must revert back to not using Squid as external proxy at the moment.

  47. Hi !

    This is a great article.
    Your graphs shows very good performances for your proxy. Can you tell me the hardware specs used for that proxy ?
    And what did you use for making the graphs ?

    Thanks

  48. Is there a way to show the disk usage of the disk formatted with reiserfs filesystem ?

  49. Is there any way to graph the disk usages of the disk formatted with reiserfd filesystem ?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s